Top 10 security vulnerabilities in .NET configuration files: are your web applications vulnerable?
Even the smallest opening in your web application layer can grant full access to an intruder. A hacker armed with nothing more than a web browser and knowledge of basic programming techniques can steal your most sensitive information by taking advantage of openings that exist in the web server, application configuration and source code. This free white paper, from HP Software, discusses the 10 most common .NET application configuration mistakes, the devastating effects those mistakes can have, as well as best practices for managing configuration files to prevent attacks.
https://h10078.www1.hp.com/cda/hpdc/navigation.do?action=downloadPDF&zn=bto&cp=54_4012_100__&caid=14532&jumpid=ex_r11374_us/en/large/tsg/Top10_Security_Vulnerabilities_WP_Newsletter/3-1A4COJW_3-ULBT8Q/20080429&origin_id=3-1A4COJW

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

I. FRONT AND CENTER
---------------------
1. Just Who's Being Exploited?
By Jamie Reid
Last month's revelation that Tipping Point paid out a prize of $10,000 and a new laptop (MSRP: about $2000) at the CanSecWest conference, for the privilege of being the exclusive licensor of a heretofore unpublished vulnerability in Apple's Safari web browser to researcher Charles Miller of Independent Security Evaluators, may lend some credence to this adage.
http://www.securityfocus.com/columnists/470

2. On the Border
By Mark Rasch
Recently, I was going through an airport with my shoes, coat, jacket, and belt off as well as with my carry-on bag, briefcase, and laptop all separated for easy inspection. I was heading through security at the Washington D.C., Ronald Reagan National Airport in Arlington, Virginia, or "National" as we locals call it. As I passed through the new magnetometer which gently puffed air all over my body -- which to me seems to be a cross between a glaucoma test and Marilyn Monroe in Gentlemen Prefer Blondes -- a TSA employee absent-mindedly asked if he could "inspect" my laptop computer. While the inspection was cursory, the situation immediately gave me pause: What was in my laptop anyway?
http://www.securityfocus.com/columnists/469

- A denial-of-service vulnerability caused by a write-access violation.
- A denial-of-service vulnerability caused by a read-access violation.
- A vulnerability that allows attackers to spoof the content contained in the address bar.

An attacker can exploit these issues to crash the affected application or cause the victim to interact with the attacker's malicious site.

This issue affects Apple Safari 3.1.1 for Windows; other versions may also be affected.

Remote attackers can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

Attackers can exploit this issue to execute arbitrary code within the context of the affected service. Successfully exploiting this issue may facilitate the remote compromise of affected computers. Failed exploit attempts will likely crash the affected application.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Successfully exploiting this issue will compromise the application and possibly the underlying computer.

Successfully exploiting this issue allows attackers to execute arbitrary code with the privileges of a user running the application. Failed exploit attempts will result in a denial-of-service condition.

ImageMagick 6.2.8-0 and 6.2.4-5 are vulnerable; other versions may also be affected.

Successfully exploiting this issue allows attackers to execute arbitrary code with the privileges of a user running the application. Failed exploit attempts will result in a denial-of-service condition.

Attackers may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow attackers to steal cookie-based authentication credentials and to launch other attacks.

This issue affects versions prior to Apple Safari 3.1.1 running on the following platforms:

These issues allow remote attackers to crash affected FTP servers, denying service to legitimate users. Given the nature of these issues, attackers may also be able to execute arbitrary code, but this has not been confirmed.

XM Easy Personal FTP Server 5.4.0 is vulnerable; other versions may also be affected.

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to ms-secnews-unsubscribe (at) securityfocus (dot) com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message, which you must answer. Alternatively, you can visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

V. SPONSOR INFORMATION
------------------------
This issue is sponsored by HP
